supporting businesses with their occupational health needs for over 20 years


GDPR Compliance

Industrial Healthcare Limited (IHL) Compliance Statement


IHL is committed to the principles inherent in the GDPR and particularly to the concepts of privacy by design, the right to be forgotten, consent and a risk-based approach. In addition, IHL aims to ensure:

  • transparency with regard to the use of data

  • that any processing is lawful, fair, transparent and necessary for a specific purpose

  • that data is accurate, kept up to date and removed when no longer necessary

  • that data is kept safely and securely


IHL's Data Protection Officer (DPO) is Dr Roddy Lennox, who oversees the Company's commitment to best practice and monitors compliance.

Right to be forgotten

We recognise the right to erasure, also known as the right to be forgotten, laid down in the GDPR. Individuals should contact with requests for the deletion or removal of personal data. These will be acted on provided there is no compelling reason for continued processing and that the exemptions set out in the GDPR do not apply. These exemptions include where the personal data is processed for the exercise or defence of legal claims and to comply with a legal obligation for the performance of a public interest task or exercise of official authority.

Subject access requests

We recognise that individuals have the right to access their personal data and supplementary information and will comply with the one month timeframe for responses set down in the GDPR. As a general rule, a copy of the requested information will be provided free of charge although we reserve the right to charge a "reasonable fee" when a request is manifestly unfounded or excessive, particularly if it is repetitive. If this proves necessary, the data subject will be informed of their right to contest our decision with the supervisory authority (the Information Commissioner's Office (ICO)). As set out in the GDPR, any fee will be notified in advance and will be based on the administrative cost of providing the information.


We will implement data protection "by design and by default", as required by the GDPR. Safeguards will be built into products and services from the earliest stage of development and privacy-friendly default settings will be the norm.

Data transfers outside the EU

We do not transfer personal data outside the EU.


The GDPR provides for special protection for children’s personal data and we will comply with the requirement to obtain parental or guardian consent for any data processing activity involving anyone under the age of 16. Systems have been introduced to verify individuals’ ages.

GDPR contact

Any questions related to GDPR or to issues concerning data protection generally should initially be addressed to

Data Erasure

Data will not be retained beyond a time period that can be justified in accordance with current data protection legislation.

Electronic and/or paper data records will be disposed of confidentially, in a manner compliant with current best practice standards and current legislation. This will meet or exceed the standards required by General Data Protection Regulation (GDPR).

If for any reason, we are unable to act in response to a request for erasure, we will always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to a judicial remedy. Such refusals to erase data include:

  • Compliance with a legal obligation for the performance of a task carried out in the public interest

  • For reasons of public interest in the area of public health

  • For the establishment, exercise or defence of legal claims

Data Loss

If a data breach should occur, or be suspected to have occurred, we will undertake the following:

  • Report the matter within the time limit required by the Information Commissioner’s Office (ICO)

  • Comply with the requirement to inform the data subject(s) and we will be guided by the ICO on this matter

  • Follow the prescribed procedure for managing a data breach, as determined by the ICO

  • Keep a record of personal data breaches, whether we are required to notify the ICO or not